Microsoft detects fall in fake antivirus traffic

Rogue security programs that try to trick the user into paying to remove a false virus detection have been around for a while, the earliest dating back to 2007. The software is clever, using different names and brands to cover its tracks, and clearly their perpetrators make money.

Now though researchers at Microsoft's Malware Protection Center are reporting a downward trend in the traffic generated by some of the most popular rogues over the past 12 months.

Writing on the Malware Protection Center blog Microsoft antivirus researcher Daniel Chipiristeanu says, "It's likely this has happened due to the antimalware industry's intense targeting of these rogues in our products, and better end-user awareness and security practices. In particular, greater education about the social engineering technique the rogues use, and the large number of legitimate, free antivirus products available on the market appear to have had an impact on a user's willingness to pay for such pests".

That's the good news. The bad news is that as the malware world's big players move away from trying to socially engineer users into paying for fake security others are moving in to fill the gap. Microsoft highlights Rogue:Win32/Defru for example which uses the Hosts file to display a fake scan when users try to access websites.

At the moment Defru is targeted mainly against Russian speakers and tries to imitate a Microsoft security message. It adds itself to the Windows registry allowing it to persist at reboot. If users opt to pay up they're taken to Payeer.com which is a legitimate payment portal, though of course after you've paid the infection doesn't get removed.

Chipiristeanu concludes, "We want to remind you again that there are free security solutions such as Microsoft Security Essentials. Before paying for a product (either a security product or any other) make a thorough investigation to make sure that it is a legitimate product and it is not fake or a copy of a free one".